From 20df3417ee86fe19d6ee085492efd076142c6e8f Mon Sep 17 00:00:00 2001
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Date: Fri, 10 May 2024 14:35:43 +0200
Subject: [PATCH] Support DIRECT connect exceptions for nat+ rules via nat-
rules.
Signed-off-by: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
---
uif.pl | 34 +++++++++++++++++++++++-----------
1 file changed, 23 insertions(+), 11 deletions(-)
--- a/uif.pl
+++ b/uif.pl
@@ -559,18 +559,30 @@
}
$$rule{'Action'}='MASQUERADE';
} elsif ($type =~ /^(s|d|)nat$/) {
- if (exists($$rule{'TranslatedSource'})) {
- $$rule{'Type'}='POSTROUTING';
- $$rule{'Action'}='SNAT';
- } elsif (exists($$rule{'TranslatedDestination'})) {
- $$rule{'Type'}='PREROUTING';
- $$rule{'Action'}='DNAT';
- } else {
- die "nat rule without address translation makes no sense:\n$$rule{'Rule'}\n";
+ if ($action eq '+') {
+ if (exists($$rule{'TranslatedSource'})) {
+ $$rule{'Type'}='POSTROUTING';
+ $$rule{'Action'}='SNAT';
+ } elsif (exists($$rule{'TranslatedDestination'})) {
+ $$rule{'Type'}='PREROUTING';
+ $$rule{'Action'}='DNAT';
+ } else {
+ die "nat rule without address translation makes no sense:\n$$rule{'Rule'}\n";
+ }
+ }
+ else {
+ # This looks counter-intuitive. It is not, though.
+ # Remember:
+ # nat+ -> do the NAT -> iptables action: MASQUERADE
+ # nat- -> don't NAT, do connect directly -> iptables action: ACCEPT
+ $$rule{'Action'}='ACCEPT';
+ if ($type =~ /^snat$/) {
+ $$rule{'Type'}='POSTROUTING';
+ }
+ elsif ($type =~ /^dnat$/) {
+ $$rule{'Type'}='PREROUTING';
+ }
}
- }
- if ($action eq '-') {
- $$rule{'Action'}='DROP';
}
} elsif ($ruletype =~ /^\s*(in|out|fw|slin|slout|slfw)(\+|-|\||>|{\w+})$/) {
my $type = $1;
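Review bot: The new `else` branch for `nat-` rules sets `Action` to ACCEPT but assigns `Type` only for `snat`/`dnat`, so a bare `nat-` rule falls through with no chain selected, whereas the removed code either died on a nat rule without translation or, for `-`, produced a DROP rule — an existing config that used `nat-` as a drop now silently becomes an ACCEPT in the nat table, which is a hardening regression that the commit message does not mention. I would close the fall-through explicitly, e.g. `else { die "nat- rule needs an explicit snat/dnat type to select a chain:\n$$rule{'Rule'}\n"; }` after the `dnat` branch, and note the changed meaning of `nat-` in the user-facing documentation. The comment in that branch is also misleading: `nat+` in this function yields SNAT/DNAT, not MASQUERADE (the MASQUERADE assignment belongs to the branch above the hunk), so `# nat+ -> do the NAT -> iptables action: SNAT/DNAT` would be accurate. Whether an ACCEPT exception is actually placed before the matching SNAT/DNAT rule in the chain is decided outside this hunk; it is worth confirming, since an exception ordered after the translation rule never fires. The enclosing function starts before the hunk.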